Have a look at how other identity and access management vendors (e.g., Okta, Auth0) solve this problem and that will give you an idea as to which parts of the problem Keycloak can solve.
Also see: Multi-Tenancy - realm resolution based on username (email address)